 |
 |
Hi, XRootD 5 (together with dmlite 1.14.1) was pushed in EPEL and for CMS you'll probably need at least compatible xrootd-cmstfc plugin compiled for this XRootD version. In dpm-users mailing list there was a link to OSG build system https://koji.chtc.wisc.edu/koji/buildinfo?buildID=13957 Also libXrdSecgsiAUTHZVO-4.so doesn't look like right library for XRootD 5 but XRootD is probably clever enough to find right version. On the other side we use libXrdSecgsiVOMS.so from xrootd-voms package with sec.protocol /usr/lib64 gsi -crl:3 -key:/etc/grid-security/dpmmgr/dpmkey.pem -cert:/etc/grid-security/dpmmgr/dpmcert.pem -md:sha256:sha1 -ca:2 -gmapopt:10 -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so but our site doesn't provide storage for CMS experiment so I can't 100% guarantee this is right configuration also for you. I just tried libXrdSecgsiAUTHZVO on our testbed and I'm getting same error: 201102 10:28:17 25907 XrdInet: Accepted connection from [log in to unmask] 201102 10:28:17 25907 XrdProtLoad: matched port 1094 protocol xroot 201102 10:28:17 25907 anon.0:31@ui1 XrdPoll: FD 31 attached to poller 0; num=2 201102 10:28:17 25906 XrdSched: running main accept inq=0 INFO in AuthzKey: Returning creds of len 9396 as key. AuthzVO: Invalid cert; vo missing 201102 10:28:17 25907 secgsi_Authenticate: ERROR: the authz plug-in reported failure 201102 10:28:17 25907 XrootdXeq: User authentication failed; Petr On 11/2/20 9:47 AM, "Geonmo Ryu" wrote: > > Hello, Yang. > > > > Our XRootD version is, > > > > Old version is "4.12.2-1.el7" > > New version is : "5.0.2-1.el7" > > > > By the way, it doesn't work well with non-eXtended attribute (NoXA) > storage after the upgrade. > > > > I know xrootd team warned me to change it for a long time, but can't > you still set it up to be compatible? > > > > Regards, > > > > > -------------------------------------------------------------------------------------------------- > *Geonmo Ryu / 류건모* > > Korea Institute of Science and Technology Information (KISTI) > Global Science experimental Data hub Center (GSDC) > 245 Daehak-ro, Yuseong-gu, Daejeon, 305-806, Republic of Korea > Tel : +82-42-869-1639 > E-mail: (CMS Helpdesk) [log in to unmask] / (Contact) > [log in to unmask] > -------------------------------------------------------------------------------------------------- > > > > > > > > > > > > > > -----------------------원본 메세지----------------------- > 보낸사람: "Yang, Wei > "<[log in to unmask]> > 받는사람: "Geonmo Ryu" <[log in to unmask]>,xrootd-l > <[log in to unmask]> > 보낸시간: 2020-11-02 17:28:45 GMT +0900 (ROK) > 제목: Re: After updating XRootD Package, I would like to inquire > about the failure of authentication using GSI certificate. > > > > > > Hi Geonmo, > > > > What version of Xrootd you were running (if that works) and what > version of Xrootd you are running now that doesn’t work? > > > > regards, > > -- > > Wei Yang | [log in to unmask] > <mailto:[log in to unmask]> | 650-926-3338(O) > > > > On 11/1/20, 10:46 PM, "[log in to unmask] > <mailto:[log in to unmask]> on behalf of "Geonmo Ryu"" > <[log in to unmask] <mailto:[log in to unmask]> on > behalf of [log in to unmask] <mailto:[log in to unmask]>> wrote: > > > > Hello, XRootD users, > > > > I am contacting you because GSI has not been authenticated since > the XRootD package was automatically updated. > > > > We are using the XRootD Proxy Server for a global federation of > CMS experiment. > > > > The authentication of the server has problems. > > > > The log is as follows: Please contact me if you need the entire log. > > > > 201102 15:33:21 6455 secgsi_Authenticate: ERROR: the authz plug-in > reported failure > > 201102 15:33:21 6455 XrootdXeq: User authentication failed; > > 201102 15:33:21 6455 geonmo.11757:25@cms-t2-se01 XrootdResponse: > sending err 3030: > > 201102 15:33:21 6455 XrootdXeq: geonmo.11757:25@cms-t2-se01 disc > 0:00:00 > > 201102 15:33:21 44816 geonmo.11757:24@cms-t2-se01 XrootdProtocol: > more auth requested; sz=2699 > > INFO in AuthzKey: Returning creds of len 7588 as key. > > AuthzVO: Invalid cert; vo missing > > > > The xrootd configuration for GSI auth is, > > > > # X509 configuration, change nothing > > xrootd.seclib /usr/lib64/libXrdSec.so > > sec.protocol /usr/lib64 gsi > -authzfun:/usr/lib64/libXrdSecgsiAUTHZVO-4.so -gmapopt:10 > -gmapto:0 -ca:1 -crl:1 -authzfunparms:debug=1,valido=cms,vo2grp=%s > > acc.authdb /etc/xrootd/auth_file > > acc.authrefresh 60 > > ofs.authorize > > > > Regards, > > > > > > -------------------------------------------------------------------------------------------------- > *Geonmo Ryu / **류건모* > > Korea Institute of Science and Technology Information (KISTI) > Global Science experimental Data hub Center (GSDC) > 245 Daehak-ro, Yuseong-gu, Daejeon, 305-806, Republic of Korea > Tel : +82-42-869-1639 > E-mail: (CMS Helpdesk) [log in to unmask] / (Contact) > [log in to unmask] > -------------------------------------------------------------------------------------------------- > > > > > > > > > > > > > > > Image removed by sender. > > ------------------------------------------------------------------------ > > Use REPLY-ALL to reply to list > > To unsubscribe from the XROOTD-L list, click the following link: > https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1 > > > ------------------------------------------------------------------------ > > Use REPLY-ALL to reply to list > > To unsubscribe from the XROOTD-L list, click the following link: > https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1 > > > > > ------------------------------------------------------------------------ > > Use REPLY-ALL to reply to list > > To unsubscribe from the XROOTD-L list, click the following link: > https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1 > ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-L list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1